The DC Federal District Court issued an opinion in Ciox Health, LLC v. Azar, et al., Case No. 18-CV-00040 (D.D.C. January 23, 2020) that reverses portions of guidance issued by the Office for Civil Rights (“OCR”) in 2016 related to the fees that a healthcare provider may charge for medical records that are requested by a patient and directed to a third party. The original HIPAA Privacy Rule included provisions that a “covered entity” (1) must provide patients the right to access his or her protected health information (“PHI”) within a designated record set and (2) could only charge a reasonable cost-based fee for such access. In 2009, the HITECH Act amended HIPAA to provide that a patient could request that the patient’s access to PHI maintained in an electronic health record (“EHR”) be directed to a third party. In 2013, the Omnibus Rule further broadened the third party directive and allowed patients to make this third party directive for access to PHI contained in any format. Lastly, in 2016, OCR issued guidance that applied the fee limitation from the original HIPAA Privacy Rule to situations in which the patient directs the PHI to a third party.
If a relationship with physicians or other referral sources has been structured to carve out Medicare and Medicaid patients to avoid triggering Anti-Kickback Statute requirements, it is time to review the compliance of the relationship.
A Missouri federal court granted a motion to dismiss this week in a case against a provider and medical record processing company. In the case, a patient alleged that a “search and retrieval” fee imposed in response to a patients request for access to medical records violated the Missouri Merchandizing Practices Act. In dismissing the claim, the court only addressed Missouri law as the allegations did not involve alleged violations of HIPAA. The outcome in this Missouri case is similar to the outcome in an unrelated Tennessee case against the same medical records company that was dismissed earlier this summer. The Tennessee case alleged multiple violations of Tennessee law relating to the fees imposed for access to medical records, using HIPAA as the standard for medical records fees. In dismissing the case, the Tennessee court found that neither HIPAA nor Tennessee law provide a private cause of action for excessive medical record fees. The Tennessee case is pending appeal.
In the wake of the record setting $16 Million dollar settlement and resolution agreement with Anthem, Inc, the Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) released a new version of their Security Risk Assessment tool. The new tool and recent settlement agreement renew the emphasis of OCR on the performance of HIPAA Security Risk Assessments by covered entities and their business associates.
Effective Thursday, April 26, the Missouri Board of Registration for the Healing Arts (MBHA) and the Missouri Board of Nursing (MBN) loosened the regulatory requirements which dictate the maximum distance between the location at which an Advance Practice Registered Nurse (APRN) practices and the location at which his/her collaborating physician practices.
Effective March 1, 2018, the Missouri Department of Social Services (“MDSS”) – Mo HealthNet Division (“Mo HealthNet”) began working collaboratively with the Missouri Department of Mental Health and the Missouri Department of Health and Senior Services to enhance the Mo HealthNet Opioid Prescription Intervention (“OPI”) Program.
The Tax Cuts and Jobs Act of 2017 signed into law on December 22, 2017 by President Trump added a new deduction for noncorporate taxpayers (i.e. S corporations, partnerships, sole proprietorships, and trusts) who have qualified business income. This deduction, found in section 199A of the Internal Revenue Code, is also referred to as the “business pass-through income deduction.”
With the effective date for the Comprehensive Care for Joint Replacement (“CJR”) program now upon us, we wanted to take a moment to highlight key steps that affected hospitals should be pursuing if they wish to realize the benefits of – or at a minimum, avoid potential adverse consequences of – this new payment model.
The Centers for Medicare and Medicaid Services (“CMS”) provided over $20 billion in Meaningful Use incentive payments to hospitals and eligible professionals who attested to compliance with the EHR Incentive Program (the “Program”).
On February 3, 2016, the U.S. Department of Health and Human Services issued a statement and released the opinion of the Administrative Law Judge who found in favor of the Office of Civil Rights (“OCR”) determining that a home health agency, Lincare, Inc. (“Lincare”) violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule requiring Lincare, to pay $239,800 in civil money penalties. All covered entities should review the opinion and the OCR’s comments and begin taking any and all “necessary steps” to ensure HIPAA compliance and to make certain protected health information is adequately protected.